October 21, 2020

Volume X, Number 295

October 20, 2020

Subscribe to Latest Legal News and Analysis

October 19, 2020

Subscribe to Latest Legal News and Analysis

EDPB Issues Data Transfer FAQs in the Post Privacy Shield Area

The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. After several EU data protection authorities (DPAs) published their reactions, the European Data Protection Board (EDPB), an association comprising, inter alia, national DPAs of all EU Member States, presented its guidance in form of an FAQ.

At the time of its publication, the guidance comprises 12 FAQs. It will be updated with further analysis. While the EDPB notes that supplementary measures may be necessary when using standard contractual clauses (SCCs), it fails to specify what that means but promises to provide more guidance in the future. Summarized below are the key takeaways from the EDPB’s guidance.

In General:

  • There is no grace period for EU- U.S. Privacy Shield certified organizations to put in place a new transfer mechanism. (FAQ 3)
  • Transfers based on the EU-U.S. Privacy Shield are illegal. (FAQ 4)

On the use of SCCs (FAQ 5, 9):

  • If the country of destination does not provide sufficient protection, SCCs may still serve as a transfer mechanism, if supplementary measures are put in place. The EDPB is currently analysing and will issue further guidance on the necessary supplementary measures.
  • Parties to the transfer should suspend/end the transfer, or inform the DPA, if SCCs are still used (a) without the country of destination providing an adequate level of protection, and (b) without the supplementary measures.

On the use of Binding Corporate Rules (BCRs) (FAQ 6, 9):

  • In principle, the Schrems II judgment applies to BCRs as well.
  • In relation to BCRs, companies should assess the law of the country of destination, put in place supplementary measures if the level is not adequate, and inform the DPA if the transfer continues. If supplementary measures are not put in place, transfers should end.

On the use of Art. 49 GDPR exceptions (FAQ 8):

  • Use of Art. 49 GDPR derogations (e.g., explicit, specific, and informed consent; for occasional transfers related to a contract; transfers necessary for important reasons of public interest, as recognized by the EU Member States), may be permissible depending on the circumstances.

When none of the transfer options work, data should be localized(FAQ 12):

  • If data controllers use data processors that transfer data to the US, the EDPB states “the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S.” The EDPB further notes that: “If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.”
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 206


About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150
Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Gretchen works closely with her clients to manage data and leverage its value in ways to meet compliance obligations as well as deliver value to the business and instill consumer trust. Her experience working with various industries allows her to quickly assess options and risks, and guide clients, including numerous genomic data companies, in resolving complicated privacy issues.

Gretchen has litigated, mediated, and arbitrated commercial disputes, including class actions, at state and federal courts nationwide, and has tried numerous cases to verdict. Her wide-ranging litigation background allows her to advise clients on the litigation risks they face in determining how to handle data privacy issues. In addition to providing compliance advice, Gretchen defends companies facing FTC and other regulatory investigations, and individual and class action claims involving privacy, information security, and consumer protection.


  • EU GDPR compliance

  • Cross-border transfer mechanisms (Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules), and data processing agreements

  • FTC CIDs, State Attorney General investigations

  • Behavioral advertising, automated processing and profiling

  • Security breach response and notification

  • DPIAs and addressing complicated privacy issues relating to product development


  • Privacy and security gap assessments

Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

Dr. Johanna Hofmann Data Security Lawyer Greenberg Traurig Law Firm Germany

Johanna Hofmann advises German and international companies and groupt of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and international level. Her field of interest lays in particular in the field of cloud computing, data protection certification and data security management. Through long-term secondments at a German group of companies and at the German subsidiary of a US-American technology group, Johanna has gained deep insights...

49 30.700.171.291